Evidence Acquisition
Network Forensics
Table of Contents
3.1 Physical Interception
3.2 Traffic Acquisition Software
3.3 Active Acquisition
3.4 Conclusion
Pigeon Sniffing?
• IP networks can be built upon a wide variety of physical media.
3.1.1 Cables
• Cables allow for point-to-point connections between stations.
• The most common materials for cables are copper and fiber.
▫ Copper
▫ Optical
▫ Intercepting Traffic in Cables
• The purpose of the CAM table is to allow the switch to isolate traffic on a port-by-port basis, so that each individual station receives only the traffic destined for it and not traffic destined for other computers.
• Later, when the switch receives a packet destined for that device, it looks up the MAC address and the corresponding port in the CAM table.
• It then sends the packet only to the appropriate port, encapsulated with the correct Layer 2 Ethernet address.
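The following small Python model of a learning switch is an added illustration, not code from the lecture notes or from any switch vendor. It shows the CAM-table behaviour described above: the switch learns each source MAC on its ingress port, floods frames for destinations it has not seen yet, and delivers frames for known destinations to exactly one port. MAC addresses and port numbers are constructed for the example. The consequence for evidence acquisition is that a passive sniffer plugged into an ordinary switch port sees only the flooded frames, which is why capture on a switched segment needs a tap or a mirror (SPAN) port rather than a spare access port.

```python
"""Toy learning switch showing why a CAM table isolates traffic per port.

Added example for these notes, not code from the lecture or any vendor.
MAC addresses and port numbers below are constructed for illustration.
"""
from dataclasses import dataclass, field

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Frame:
    src: str       # source MAC address
    dst: str       # destination MAC address
    payload: str


@dataclass
class Switch:
    port_count: int
    cam: dict = field(default_factory=dict)   # MAC address -> port number

    def forward(self, in_port: int, frame: Frame) -> list:
        """Learn the source MAC on the ingress port, then choose egress ports.

        Returns the list of ports the frame is sent out of.  A destination
        that is not yet in the CAM table (or a broadcast) is flooded to every
        port except the one it arrived on; a known destination goes to exactly
        one port, which is what keeps other stations from seeing it.
        """
        self.cam[frame.src] = in_port                      # learning step
        if frame.dst == BROADCAST or frame.dst not in self.cam:
            return [p for p in range(1, self.port_count + 1) if p != in_port]
        out_port = self.cam[frame.dst]
        return [] if out_port == in_port else [out_port]


def visibility_demo() -> dict:
    """Three stations: A on port 1, B on port 2, a passive sniffer on port 3.

    Returns the final CAM table and, for each frame of the A<->B exchange,
    whether the sniffer port received a copy.
    """
    a, b = "aa:aa:aa:aa:aa:01", "bb:bb:bb:bb:bb:02"   # constructed MACs
    sw = Switch(port_count=3)
    seen_by_sniffer = []

    # 1. A sends to B before the switch knows where B is: flooded.
    ports = sw.forward(1, Frame(a, b, "hello"))
    seen_by_sniffer.append(3 in ports)
    # 2. B replies; A is already in the CAM table, so only port 1 gets it.
    ports = sw.forward(2, Frame(b, a, "hi"))
    seen_by_sniffer.append(3 in ports)
    # 3. A sends again; B is now known too, so only port 2 gets it.
    ports = sw.forward(1, Frame(a, b, "how are you"))
    seen_by_sniffer.append(3 in ports)

    return {"cam": dict(sw.cam), "sniffer_saw": seen_by_sniffer}


if __name__ == "__main__":
    print(visibility_demo())
```

Once both addresses are learned, the sniffer port receives nothing from the conversation; only the first flooded frame was visible to it.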
• Using BPF filters, you can decide which traffic to capture and inspect and which traffic to ignore.
3.2.3 tcpdump
• Tcpdump is a tool for capturing, filtering, and analyzing network traffic.
• Tcpdump was designed as a UNIX tool.
• The basic purpose of tcpdump is to capture network traffic and then print or store the contents for analysis.
▫ Tcpdump captures traffic bit-by-bit as it traverses any physical media suitable for conducting link-layer traffic.
▫ Tcpdump can decode common Layer 2 through 4 protocols.
3.2.4 Wireshark
• Wireshark is a graphical, open-source tool designed for capturing, filtering, and analyzing traffic.
• Wireshark allows you to capture packets on any system network interface, assuming you have appropriate permissions to do so and your network card supports sniffing.
3.2.5 tshark
• Tshark is a command-line network protocol analysis tool that is part of the Wireshark distribution.
• It is libpcap-based, and can read and save files in the same standard formats as Wireshark.
• The example
▫ shows tshark capturing traffic on the network interface “eth0,” filtering out all port 22 traffic, and storing the results in the file “test.pcap.”
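The following Python block is an added example, not code from the lecture notes or from tcpdump, tshark, Wireshark or dumpcap. It serves both the BPF-filter point in 3.2 and the tshark example above: it builds a capture from constructed Ethernet/IPv4/TCP packets, writes it in the classic libpcap file format that all of those tools read and write, reads it back, applies the equivalent of the BPF expression `not port 22`, and optionally stores the survivors in a file such as `test.pcap`. Addresses, ports and payloads are constructed; the IPv4 header checksum is computed correctly, while TCP checksums are left at zero because nothing here hands the packets to a real stack. Only TCP is decoded, so the filter is narrower than the real BPF `port` primitive, which also matches UDP.

```python
"""Minimal pcap writer/reader with a BPF-style `not port 22` filter.

Added example, not code from the lecture notes or from tcpdump, tshark,
Wireshark or dumpcap.  Packet contents are constructed for illustration;
TCP checksums are left at zero since no real network stack sees them.
"""
import socket
import struct

PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1


def ip_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement checksum of an IPv4 header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_tcp_packet(src_ip, dst_ip, sport, dport, payload=b"") -> bytes:
    """Ethernet + IPv4 + TCP frame with constructed MAC addresses."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    # seq=1, ack=0, data offset 5 words, flags PSH|ACK, window, checksum 0, urgent 0
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    total_len = 20 + len(tcp)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 1, 0x4000, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]   # fill checksum field
    return eth + ip + tcp


def write_pcap(packets, first_ts=1_700_000_000) -> bytes:
    """Serialise packets as a little-endian pcap file: 24-byte global header,
    then a 16-byte record header (ts_sec, ts_usec, incl_len, orig_len) per packet."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, pkt in enumerate(packets):
        out += struct.pack("<IIII", first_ts + i, 0, len(pkt), len(pkt)) + pkt
    return out


def read_pcap(data: bytes):
    """Yield (timestamp_seconds, packet_bytes) from pcap data of either byte order."""
    (magic,) = struct.unpack_from("<I", data, 0)
    if magic == PCAP_MAGIC:
        end = "<"
    elif magic == 0xD4C3B2A1:
        end = ">"
    else:
        raise ValueError("not a classic pcap file")
    pos = 24
    while pos + 16 <= len(data):
        ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack_from(end + "IIII", data, pos)
        pos += 16
        yield ts_sec, data[pos:pos + incl_len]
        pos += incl_len


def tcp_ports(pkt: bytes):
    """Return (sport, dport) for an IPv4/TCP frame, or None for anything else."""
    if len(pkt) < 34 or pkt[12:14] != b"\x08\x00" or pkt[23] != 6:
        return None
    ihl = (pkt[14] & 0x0F) * 4
    return struct.unpack_from("!HH", pkt, 14 + ihl)


def not_port(port: int):
    """Predicate equivalent to the BPF expression `not port N` (TCP only here):
    drop a packet when either its source or its destination port is N."""
    def keep(pkt: bytes) -> bool:
        ports = tcp_ports(pkt)
        return ports is None or port not in ports
    return keep


def sample_packets() -> list:
    """Four constructed packets: an SSH exchange and an HTTP exchange."""
    return [
        build_tcp_packet("10.0.0.5", "10.0.0.1", 51000, 22, b"ssh"),
        build_tcp_packet("10.0.0.5", "10.0.0.9", 51001, 80, b"GET / HTTP/1.1"),
        build_tcp_packet("10.0.0.1", "10.0.0.5", 22, 51000, b"ssh"),
        build_tcp_packet("10.0.0.9", "10.0.0.5", 80, 51001, b"HTTP/1.1 200 OK"),
    ]


def filter_capture(capture: bytes, keep=not_port(22), out_path=None) -> list:
    """Apply the filter to an in-memory pcap; optionally write the survivors to
    out_path (for example "test.pcap").  Returns the (sport, dport) pairs kept."""
    kept = [pkt for _, pkt in read_pcap(capture) if keep(pkt)]
    if out_path:
        with open(out_path, "wb") as fh:
            fh.write(write_pcap(kept))
    return [tcp_ports(p) for p in kept]


if __name__ == "__main__":
    print(filter_capture(write_pcap(sample_packets())))   # [(51001, 80), (80, 51001)]
```

Both SSH packets are dropped, whichever direction they travel, because `not port 22` tests the source and destination ports alike; the HTTP pair survives. The file written by `filter_capture(..., out_path="test.pcap")` opens in Wireshark or tshark like any other capture.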
3.2.6 dumpcap
• The Wireshark distribution also comes with a command-line tool, “dumpcap,” which is specifically designed to capture packets.
• Because dumpcap is a specialized tool designed just for capturing packets, it takes up fewer system resources, maximizing your capture capabilities.
• Dumpcap automatically writes packet captures to a file.
3.3.1.1 Console
• The console is an input and display system, usually a keyboard and monitor connected to a computer.
• Many network devices have a serial port that you can use to connect a terminal to the console.
3.3.3 Strategy
• Refrain from rebooting or powering down the device.
▫ A lot of network-based evidence exists as volatile data in the memory of network devices.
• Connect via the console rather than over the network.
▫ Connecting to a device over the network will necessarily generate network traffic.
• Record the system time.
▫ Even a small time skew can make it very difficult to correlate evidence.
• Collect evidence according to level of volatility.
▫ Collect the most volatile evidence first.
• Record your investigative activities.
▫ Recording your own commands also helps you stay organized.
▫ Take screen captures, photos or recordings of your graphical connections.
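As an added example (not from the lecture notes), the POSIX-shell wrapper below applies the last three points of the strategy on the analyst's workstation: it records the workstation clock before anything else so the device's own time can be compared against it, runs collection commands in a fixed order from most to least volatile, and logs each command with its timestamp, exit status and a checksum of the saved output, so the collection itself is documented. It assumes a POSIX sh with `date`, `cksum` and `mktemp`; `EVIDENCE_DIR` may be preset to a case directory. The commands it runs (`date`, `uname`, `id`, `env`) are stand-ins chosen so the script runs anywhere, in place of the console commands you would issue on the device itself.

```shell
#!/bin/sh
# Added example, not from the lecture notes: an evidence-collection logger.
# Assumes POSIX sh with date, cksum and mktemp.  EVIDENCE_DIR may be preset.

EVIDENCE_DIR="${EVIDENCE_DIR:-$(mktemp -d)}"
LOG="$EVIDENCE_DIR/activity.log"

now_utc() {
    date -u +%Y-%m-%dT%H:%M:%SZ
}

# collect <label> <command> [args...]
# Save the command's output to $EVIDENCE_DIR/<label>.txt and append one
# tab-separated log line: time, label, command, exit status, cksum of output.
collect() {
    label="$1"; shift
    out="$EVIDENCE_DIR/$label.txt"
    start="$(now_utc)"
    if "$@" > "$out" 2>&1; then status=0; else status=$?; fi
    sum="$(cksum < "$out" | cut -d' ' -f1)"
    printf '%s\t%s\t%s\texit=%s\tcksum=%s\n' \
        "$start" "$label" "$*" "$status" "$sum" >> "$LOG"
    return "$status"
}

# Run the ordered collection, most volatile first, and print the log path.
# The commands are stand-ins for the device console commands of a real case.
collect_all() {
    # Analyst clock first, so the device time recorded next can be compared.
    printf '%s\tanalyst_clock\n' "$(now_utc)" >> "$LOG"
    collect 01_device_time date            # stand-in for the device's own clock
    collect 02_running_state uname -a      # stand-in for in-memory state (sessions, caches)
    collect 03_identity id                 # stand-in for who is logged in / privilege level
    collect 04_environment env             # stand-in for configuration that changes least
    echo "$LOG"
}

collect_all
```

Each output file can later be re-checksummed against the log line to show it has not changed since collection; the log itself is the record of what was run, when, and with what result.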
Q&A